Ports

Port 53: DNS

Domain Name System queries and responses. UDP for most lookups, TCP for transfers and large replies.

Where you will see it: scans, firewall rules, vulnerability reports, and service configs. Treat an open port as an exposure point and verify that the service behind it is expected, hardened, and restricted.

What it is

Port 53 is the default port for DNS, and it is a good example of why the transport protocol matters as much as the port number. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. Most everyday DNS lookups use UDP 53: a client sends a small query from an ephemeral source port to the resolver on destination port 53, and the resolver replies back to that source port.

TCP 53 is also important. It is used when a response does not fit in a single UDP message, when reliability is required, and for zone transfers between authoritative servers.

In real networks this means firewalls often need to allow both UDP and TCP on port 53 for resolvers and authoritative servers, even if you only think about the quick UDP query path. Security-wise, exposed DNS can be abused for information gathering, for amplification attacks if recursion is open, and as a control channel when attackers tunnel data through DNS queries.

How it works in broad strokes

  1. A client sends a query to a resolver asking for a record such as A, AAAA, or MX.
  2. The resolver answers from cache or recursively queries authoritative servers and returns the result.
  3. If the reply is too large for a single UDP message or the exchange needs reliability, the client falls back to TCP on the same port.
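
As an added example (not code from the original page), a minimal Python client that shows why both transports on port 53 matter: it encodes a query, sends it over UDP 53, and retries over TCP 53 with the 2-byte length framing when the server sets the TC bit. The helper functions run offline; only lookup needs a reachable resolver, and all function names are my own.

```python
import socket
import struct

DNS_PORT = 53           # the same port number serves both transports
FLAG_RD = 0x0100        # recursion desired, set in queries
FLAG_TC = 0x0200        # truncated: reply did not fit in UDP, retry over TCP
QTYPES = {"A": 1, "AAAA": 28, "MX": 15}   # record types named on the page

def build_query(name, qtype="A", txid=0x1234):
    """Encode a one-question DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN

def parse_header(msg):
    """Decode the header fields that drive the UDP-to-TCP decision."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "rcode": flags & 0xF, "truncated": bool(flags & FLAG_TC)}

def needs_tcp_retry(query, response):
    """True only when the reply matches our transaction id and has TC set."""
    q, r = parse_header(query), parse_header(response)
    return q["id"] == r["id"] and r["truncated"]

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def lookup(name, server, qtype="A", timeout=3.0):
    """Query over UDP 53 first; fall back to TCP 53 when the reply is truncated."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, DNS_PORT))
        reply, _ = udp.recvfrom(512)          # classic UDP limit without EDNS
    if not needs_tcp_retry(query, reply):
        return reply
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        data = b""                            # read until the framed length is met
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tcp.recv(4096)
            if not chunk:
                raise ConnectionError("TCP 53 closed before the full reply")
            data += chunk
    return data[2:2 + struct.unpack("!H", data[:2])[0]]   # strip the prefix
```

A firewall that only permits UDP 53 will let the first half of this exchange through and silently break the TCP retry, which is exactly the failure the text above warns about.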

Concrete example

A browser loads a website. It asks the configured resolver for the domain's IP address over UDP 53. The resolver returns a cached answer, and the browser then connects to the site on port 443.

Why it matters

DNS is foundational. If DNS is misconfigured or compromised, users get redirected, services fail, and security controls break. In security work, DNS traffic is also a goldmine for detection because it shows what hosts are trying to reach and can reveal tunneling or command and control patterns.

Security angle

  • Separate recursive resolvers from authoritative servers and restrict who can query what.
  • Use DNSSEC validation where appropriate and monitor for unusual query patterns.
  • Protect against amplification abuse with rate limiting and response size controls.

Common pitfalls

  • Exposing an authoritative DNS server without proper hardening or rate limiting.
  • Assuming DNS is always UDP and forgetting TCP-based transfers and large responses.
  • Ignoring split-horizon DNS differences between internal and external zones.